[Snort-users] Snort not logging to /var/log/snort
msellers at ...17117...
Wed Mar 18 17:38:15 EDT 2015
This is a new install to a Centos 7 64-bit server
I was able to install and test the Snort software following the online guide for Centos 6/7
/usr/local/bin/snort -T -i enp5s0f0 -u snort -g snort -c /etc/snort/snort.conf
Resulted in a whole bunch of stuff, but finished with:
pcap DAQ configured to passive.
Acquiring network traffic from "enp5s0f0".
Set gid to 40000
Set uid to 40000
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 220.127.116.11 GRE (Build 177)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.32 2012-11-30
Using ZLIB version: 1.2.7
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.4 <Build 1>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Snort successfully validated the configuration!
If I run:
/usr/local/bin/snort -v -i
out streams the port activity. Everything seems great, but when I run:
/usr/local/bin/snort -D -i enp5s0f0 -u snort -g snort -c /etc/snort/snort.conf
Spawning daemon child...
My daemon child 29197 lives...
Daemon parent exiting (0)
I note that in /var/log/snort, I now have an alert and snort.log files! BUT
nothing is ever logged to these files. No alarms are being logged.
Note: I have set ownership and permissions to /var/log/snort as follows:
chown -R snort:snort /var/log/snort
chmod -R 700 /var/log/snort
and upon creation, alert and snort.log both are owned by user/group snort
with permissions 600.
Please help me figure this out as I would really like to be using snort.
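One thing worth checking when `-T` validates the config and the daemon runs but the alert file stays empty: a configuration with no enabled rules never fires an alert. The script below is an added diagnostic (not from the original post or from the Snort project) that walks a snort.conf, resolves `var`/`include` lines and counts uncommented rule lines per included file; the sample config and rule files it builds are constructed here, and resolving relative includes against the snort.conf directory is an assumption.

```python
import os
import re
import tempfile

# "var NAME VALUE" (also ipvar/portvar), "include PATH", and rule lines starting with an action.
VAR_RE = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(\S+)')
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')
RULE_RE = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s')


def expand_vars(value, variables):
    """Replace $NAME references with their snort.conf definitions."""
    return re.sub(r'\$(\w+)', lambda m: variables.get(m.group(1), m.group(0)), value)


def count_enabled_rules(conf_path):
    """Return {included_path: number of uncommented rule lines}.
    Unreadable includes are reported as -1 so a broken path stands out
    instead of silently contributing zero rules."""
    variables, counts = {}, {}
    base = os.path.dirname(os.path.abspath(conf_path))  # assumption: includes relative to conf dir
    with open(conf_path) as conf:
        for line in conf:
            m = VAR_RE.match(line)
            if m:
                variables[m.group(1)] = expand_vars(m.group(2), variables)
                continue
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            rel = expand_vars(m.group(1), variables)
            path = rel if os.path.isabs(rel) else os.path.join(base, rel)
            try:
                with open(path) as rules:
                    counts[rel] = sum(1 for r in rules if RULE_RE.match(r))
            except OSError:
                counts[rel] = -1
    return counts


def build_sample():
    """Write a constructed snort.conf plus rule files to a temp dir; returns the conf path."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "rules"))
    with open(os.path.join(d, "snort.conf"), "w") as f:
        f.write("var RULE_PATH rules\ninclude $RULE_PATH/local.rules\n"
                "include $RULE_PATH/empty.rules\ninclude $RULE_PATH/missing.rules\n")
    with open(os.path.join(d, "rules", "local.rules"), "w") as f:
        f.write('# alert icmp any any -> any any (msg:"disabled"; sid:1000001;)\n'
                'alert icmp any any -> any any (msg:"ICMP test"; sid:1000002;)\n')
    open(os.path.join(d, "rules", "empty.rules"), "w").close()
    return os.path.join(d, "snort.conf")
```

Run it against the real /etc/snort/snort.conf: if every included rules file reports 0 or -1, an empty alert file is expected rather than a logging fault.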